Hackerzhome


Cybersecurity news all over the world

HACKERZHOME NEWS

April 17, 2023

Monday

Google Discovers APT41 Targeting of Media and Job Sites with the Open Source GC2 Tool

Amid growing misuse of Google’s infrastructure for malicious purposes, a Chinese state-sponsored group targeted an unnamed Taiwanese media outlet to deliver the open-source red-teaming tool known as Google Command and Control (GC2).

The IT giant’s Threat Analysis Group (TAG) attributed the activity to HOODOO, the group also known as APT41, Barium, Bronze Atlas, Wicked Panda, and Winnti; HOODOO is the geological and geographically themed name under which TAG tracks it.


The attack begins with a phishing email that links to a password-protected file on Google Drive. That file contains the GC2 tool, which reads its commands from Google Sheets and exfiltrates data through the same cloud storage platform.


According to Google, the threat actor previously used the same malware to attack an Italian job search website in July 2022.


The activity is noteworthy for two reasons. First, it suggests that Chinese threat groups are increasingly relying on freely available tools such as Cobalt Strike and GC2 in order to thwart attribution efforts.

Second, it highlights the growing use of malware and utilities written in Go, owing to the language’s cross-platform compatibility and modular design.


Google further advised that, because of their undeniable value, both fraudsters and state-backed actors have turned to cloud services as a profitable target, “either as hosts for malware or providing the infrastructure for command-and-control (C2).”


Mac-specific LockBit ransomware encryptors have been discovered.

The LockBit ransomware group has developed encryptors exclusively for Macs for the first time, making it possibly the first significant ransomware operation to ever target macOS.

Cybersecurity researcher MalwareHunterTeam spotted a ZIP archive on VirusTotal containing what appeared to be most of the LockBit encryptors currently available, and it was this archive that held the new ransomware encryptors.

The LockBit operation has historically developed and used encryptors that target Windows, Linux, and VMware ESXi systems.

However, as shown in the picture below, this collection [VirusTotal] also contained previously unknown encryptors for macOS, ARM, FreeBSD, MIPS, and SPARC CPUs.

One of these encryptors, named “locker_Apple_M1_64” [VirusTotal], targets the newer Macs running on Apple Silicon.

The archive also includes lockers for the PowerPC CPUs used by older Macs.

Further investigation by cybersecurity researcher Florian Roth turned up an Apple M1 encryptor that had been submitted to VirusTotal in December 2022, showing that these samples have been circulating for some years.


38 Web Browsers Are Targeted by a New Zaraza Bot Credential Stealer Sold on Telegram

Zaraza bot, a novel credential-stealing malware, is being sold on Telegram and also uses the popular messaging platform as its command-and-control (C2) server.

According to research released last week by cybersecurity firm Uptycs, Zaraza bot is being actively distributed on a Russian Telegram hacker channel popular with threat actors, and it targets a large number of web browsers.

After infection, the malware extracts sensitive information from the victim’s machine and sends it to a Telegram server, where the attackers can retrieve it immediately.

Zaraza bot is a 64-bit binary written in C# that can target up to 38 different web browsers, including Google Chrome, Microsoft Edge, Opera, AVG Browser, Brave, Vivaldi, and Yandex. It can also take screenshots of the active window.

It is the latest example of malware built to steal login credentials for online bank accounts, cryptocurrency wallets, email accounts, and any other websites the operators consider valuable.

Stolen credentials present a major concern since they enable threat actors to commit identity theft and financial fraud in addition to gaining unauthorized access to victims’ accounts.


Data Exfiltration by Vice Society Ransomware Using a Sneaky PowerShell Tool


Threat actors linked to the Vice Society ransomware gang have been observed using a custom PowerShell-based tool to hide and automate data exfiltration from compromised networks.

Vice Society is an extortion-focused hacking gang that first appeared on the scene in May 2021. Microsoft tracks it under the designation DEV-0832. It is known for using ransomware binaries sold on the dark web to achieve its objectives.

In December 2022, SentinelOne reported on the group’s use of PolyVice, a ransomware variant that employs a hybrid encryption scheme combining symmetric and asymmetric encryption to securely encrypt files.

According to Unit 42, the PowerShell script (w1.ps1) works by first identifying the system’s mounted drives.

The discovery of the data exfiltration script illustrates the persistent threat of double extortion in the ransomware ecosystem. It is also a reminder for organizations to prioritize strong security safeguards and remain vigilant against emerging threats.

Chinese app uses Android flaw to spy on users, CISA warns

The Chinese e-commerce app Pinduoduo is suspected of having exploited a high-severity Android vulnerability as a zero-day to spy on its users, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

On unpatched Android devices, this security flaw in the Android Framework (CVE-2023-20963) allows attackers to escalate their privileges without any user interaction.

On March 21, Google removed the official shopping app of the massive Chinese e-commerce site Pinduoduo from the Play Store after finding malware in off-Play versions of the app, flagged it as harmful, and warned users that it could grant “unauthorized access” to their data or device. Pinduoduo claims to have over 750 million monthly active users.

Days later, Kaspersky researchers also disclosed they had discovered versions of the app that exploited Android flaws (one of which, according to Ars Technica, is CVE-2023-20963) for privilege escalation and the installation of extra modules intended to spy on users.

Igor Golovin, a security researcher at Kaspersky, was quoted by Bloomberg as saying that some versions of the Pinduoduo app contained malicious code that exploited known Android security flaws to elevate privileges and to download and run additional malicious modules, some of which also gained access to users’ notifications and files.

On Thursday, CISA added CVE-2023-20963 to its Known Exploited Vulnerabilities catalog. U.S. Federal Civilian Executive Branch (FCEB) agencies have until May 4 to secure their devices.
